IPv6 Malware Examples and Other Web Attacks

Malware in IPv6 Tunneling Over IPv4

IPv6 over IPv4 tunneling connects two separate private IPv6 networks across a public IPv4 network by encapsulating the traffic to be transmitted inside IPv4 packets. In the same way, IPv6 can also encapsulate malware for distribution. Since most operating systems already support IPv6, malware on an infected host can establish such a tunnel and transmit information outside the private network without the user’s knowledge. The auto-configuration features of IPv6 make this possible, because no access control layer governs how addresses are assigned. In this example, IPv6 malware assigns its own IP address without a DHCP server. Using this type of tunnel, malware authors may gain the ability to send crafted IPv6 packets capable of bypassing security established at the perimeter.
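As an added defender-side example that is not part of the original post, the following Python parses raw IPv4 packets, flags any that carry IPv6 encapsulated with IP protocol 41 (6in4) from an internal host to an external endpoint, and reports the inner IPv6 addresses; the sample packets, the addresses and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range
PROTO_IPV6_IN_IPV4 = 41               # 6in4 encapsulation protocol number


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def ipv6_header(src, dst, next_hdr=6, payload_len=0):
    """Build a minimal 40-byte IPv6 header (version 6, hop limit 64)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed)


# Constructed capture: one plain TCP packet, one 6in4 tunnel leaving the
# internal network, and one 6in4 packet between two external hosts.
SAMPLE_PACKETS = [
    ipv4_header("10.1.2.3", "198.51.100.7", 6, 0),
    ipv4_header("10.1.2.3", "198.51.100.7", PROTO_IPV6_IN_IPV4, 40)
        + ipv6_header("2001:db8::1", "2001:db8:ffff::9"),
    ipv4_header("203.0.113.5", "198.51.100.7", PROTO_IPV6_IN_IPV4, 40)
        + ipv6_header("2001:db8::2", "2001:db8:ffff::9"),
]


def find_6in4_tunnels(packets):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for every IPv4 packet
    that tunnels IPv6 via protocol 41 from an internal host to an external one."""
    findings = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue                      # not an IPv4 packet
        ihl = (pkt[0] & 0x0F) * 4         # header length incl. options
        proto = pkt[9]
        osrc, odst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
        if proto != PROTO_IPV6_IN_IPV4 or osrc not in INTERNAL or odst in INTERNAL:
            continue
        inner = pkt[ihl:]
        if len(inner) < 40 or inner[0] >> 4 != 6:
            continue                      # payload is not a valid IPv6 header
        isrc, idst = IPv6Address(inner[8:24]), IPv6Address(inner[24:40])
        findings.append((str(osrc), str(odst), str(isrc), str(idst)))
    return findings
```

Only the second sample packet is reported; the plain TCP packet and the external-to-external tunnel are ignored.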

IPv6 Routing Worms and Viruses

Some viruses and worms, especially those zvelo has detected and categorized as “routing worms,” conduct reconnaissance that leads to massive network flooding as they scan network address spaces. This kind of processing burdens routers, services and infected hosts. Randomly scanning worms and viruses such as Code Red, Slammer, Blaster and Witty may have a difficult time scanning an address space within IPv6 networks. Unfortunately, implementing IPv6 is not the ultimate solution for preventing worms and viruses. A malware author can employ clever techniques to circumvent the large IPv6 address space, such as email and web based strategies or removable media, in order to propagate viruses and worms.

IPv6 ARP Spoofing and ICMP Redirects Attacks

Redirecting network traffic by posing as a router or a multicast listener discovery service is one of the most common IPv6 network attack methods. ARP spoofing and ICMP redirects are the methods used to redirect traffic in IPv4. Since ARP has been replaced in IPv6 by Neighbor Discovery, which is carried over ICMPv6, traditional ARP spoofing will not work on an IPv6 network. However, with the Neighbor Discovery feature of IPv6, an attacker can still rely on ICMPv6 for the same operations as ARP spoofing, because ICMPv6 itself does nothing to prevent address spoofing. The configuration of IPv6 networks relies on a router advertising which networks it is willing to route, making it possible for an attacker to replace valid router advertisements with fake ones.

IPv6 DoS Attacks

The motive of a Denial of Service (DoS) attack is to disable a service through resource exhaustion. DoS attacks do exist in IPv6. An example of this is the IPv6f**k malware. This malware performs a protocol-level DoS attack, specifically TCP SYN flooding. TCP SYN flooding is achieved by sending the intended victim packets that open a handshake and never complete it. The victim must respond and hold a half-open connection while waiting for the handshake to finish. Such packets are sent until the victim’s resources are exhausted, resulting in failed delivery of the desired services.